CVE-2025-48042

Before action hooks may execute in certain scenarios despite a request being forbidden

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-863 — CWE-863 Incorrect Authorization

CAPEC

• CAPEC-180 — CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels

CVSS 4.0 Score

7.1

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Vulnerability description

Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels.

This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk':run/6.

This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.

Affected

pkg:hex/ash

Source File	Routine
lib/ash/actions/create/bulk.ex	Ash.Actions.Create.Bulk.run/5
lib/ash/actions/destroy/bulk.ex	Ash.Actions.Destroy.Bulk.run/6
lib/ash/actions/update/bulk.ex	Ash.Actions.Update.Bulk.run/6

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	initial	< 3.5.39

pkg:github/ash-project/ash

Source File	Routine
lib/ash/actions/create/bulk.ex	Ash.Actions.Create.Bulk.run/5
lib/ash/actions/destroy/bulk.ex	Ash.Actions.Destroy.Bulk.run/6
lib/ash/actions/update/bulk.ex	Ash.Actions.Update.Bulk.run/6

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	initial	< 5d1b6a5d0077

References

• https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9 vendor-advisory
• https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a patch

Credits

• Remediation developer: Zach Daniel
• Analyst: Jonatan Männchen

CVE record as JSON:  GET /cves/CVE-2025-48042.json
OSV record as JSON:  GET /osv/EEF-CVE-2025-48042.json